[SOLVED] Problem related to serialized ID PKCS-11 URI on Windows (USBToken with SmartCard and p12)

cheatera
OpenVpn Newbie
Posts: 4
Joined: Tue Apr 02, 2019 10:32 am

[SOLVED] Problem related to serialized ID PKCS-11 URI on Windows (USBToken with SmartCard and p12)

Post by cheatera » Tue Apr 02, 2019 11:32 am

*EDIT: CHECK BELOW FOR A WORKAROUND!
*EDIT2 (LAST, I PROMISE): I think I'm not in the correct section, because it's a client problem, but I saw a similar problem here and posted here. TLDR: forum mod - please move this to the correct section, thanks.

Hello there,
I have an issue regarding the (de)serialized ID. What's the problem exactly:


Tue Apr 02 13:35:00 2019 us=987057 PKCS#11: Adding PKCS#11 provider 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll'
Tue Apr 02 13:35:00 2019 us=987057 PKCS#11: Adding provider 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll'-'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll'
Tue Apr 02 13:35:02 2019 us=236659 PKCS#11: Provider 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll' added rv=0-'CKR_OK'
Tue Apr 02 13:35:02 2019 us=238658 PKCS#11: Cannot deserialize id 19-'CKR_ATTRIBUTE_VALUE_INVALID'
Tue Apr 02 13:35:02 2019 us=238658 Cannot load certificate "pkcs11:model=PKCS%2315;token=Pin%20de%20la%20carte%20%28IAS-ECC%29;manufacturer=Oberthur%20Technologies;serial=;id=%1a%aca%a0%cb%0e%21%d4%a4p%9d%84p%bbVj%a8%fd%dc%14" using PKCS#11 interface
(Please note that Provider 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll' added rv=0-'CKR_OK' says OK, which means the driver and the USB token are working correctly. I've also tested with the card issuer's provided driver - the same error, which leads me to believe it's not the driver's fault, as both of them are CKR_OK but give the same CKR_ATTRIBUTE_VALUE_INVALID error.)

openvpn --show-pkcs11-ids:


C:\Program Files\OpenVPN\bin>openvpn.exe --show-pkcs11-ids "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll"

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             CN=vladislav.n
       Serial:         48F488CEF20B068B5BE77FE85803B530
       Serialized id:  pkcs11:model=PKCS%2315;token=Pin%20de%20la%20carte%20%28vladislav.n;manufacturer=Oberthur%20Technologies;serial=;id=%1a%aca%a0%cb%0e%21%d4%a4p%9d%84p%bbVj%a8%fd%dc%14
As far as I understand there is a problem with OpenVPN reading the serialized ID by the RFC 7512 URI of PKCS-11 https://bugzilla.redhat.com/show_bug.cgi?id=1516474 which looks like it is fixed on RedHat.

I've tried with URL Decode the above string and I get


pkcs11:model=PKCS#15;token=Pin de la carte (vladislav.n;manufacturer=Oberthur Technologies;serial=;id=a!ԤppVj
which kinda looks OK, but I am sure it's not supposed to be URL decoded manually, and the ID looks like shit: id=a!ԤppVj

Now my question is:
if openvpn --show-pkcs11-ids outputs the encoded URI, should the configuration be the same so they match? Or does OpenVPN support RFC 7512 at all at the moment?
Config file:
client

proto tcp-client

remote XXX.XXX.XXX.XXX 1194
remote-cert-tls server

tls-client
ca ca.crt

pkcs11-providers "C:\\Program Files\\OpenSC Project\\OpenSC\\pkcs11\\opensc-pkcs11.dll"
pkcs11-id 'pkcs11:model=PKCS%2315;token=Pin%20de%20la%20carte%20%28IAS-ECC%29;manufacturer=Oberthur%20Technologies;serial=;id=%1a%aca%a0%cb%0e%21%d4%a4p%9d%84p%bbVj%a8%fd%dc%14'
pkcs11-pin-cache 300

#nobind
ping 15
ping-restart 45
ping-timer-rem

persist-key
persist-key

verb 7

cipher AES-256-CBC
auth SHA1
pull

auth-nocache
auth-user-pass auth.cfg


I can connect with my static certificate no problem when I point OpenVPN to the path in the config file

client

ca ca.crt
cert keys/vladislav.n.crt
key keys/vladislav.n.key


but I want to use the SmartCard instead (two factor auth. etc.)
Please, good OpenVPN community, assist me if you can. I can change the SmartCard if needed, because I guess that if the SmartCard issuer didn't adopt the mentioned RFC in their cards, the serialized ID will be more "openVPN-readable" (as described here https://openvpn.net/community-resources ... ect-object which looks like the "old" or non-RFC compliant serialized ID reported to work).

Anyone? ANY info will be greatly appreciated.

Hardware - ACR39T, SmartCard - Oberthur Idemia COSMOv7.0;
Software - Windows 10 Pro x64, OpenVPN 2.4.7, OpenSC 0.19;

P.S.: sorry for any spelling mistakes - non-english speaker here.

*EDIT: WORKING SOLUTION
I'll leave this here if it doesn't get deleted to have some kind of workaround if you stumble on the same issue.
Now, based on this question here https://superuser.com/questions/1352486 ... rtcard-2fa, I've decided to give it a chance and - what do you know, it works! What I did was download https://build.openvpn.net/downloads/rel ... x86_64.exe and install it.


c:\Program Files\OpenVPN_2.3\bin>openvpn.exe --show-pkcs11-ids "c:\Program Files\Oberthur Technologies\AWP\DLLs\OcsCryptoki.dll"

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             CN=vladislav.n
       Serial:         48F488CEF20B068B5BE77FE85803B530
       Serialized id:  Oberthur\x20Technologies/Cosmo\x20v7\x2E0\x2E1\x20R2/000047FC39FC0000/vladislav\x2En/1AAC61A0CB0E21D4A4709D8470BB566AA8FDDC14
Now it looks like OpenVPN 2.3 generates the CORRECT serialized ID for use with the config, while the newest version 2.4.7 generates something ... strange which directly copied doesn't work. Working config follows:

client

dev tun
proto tcp-client

remote XXX.XXX.XXX.XXX 1194
remote-cert-tls server

tls-client
ca ca.crt

pkcs11-providers "c:\\Program Files\\Oberthur Technologies\\AWP\\DLLs\\OcsCryptoki.dll"
pkcs11-id 'Oberthur\x20Technologies/Cosmo\x20v7\x2E0\x2E1\x20R2/000047FC39FC0000/vladislav\x2En/1AAC61A0CB0E21D4A4709D8470BB566AA8FDDC14'
pkcs11-pin-cache 300

#nobind
ping 15
ping-restart 45
ping-timer-rem

persist-key

verb 7

cipher AES-256-CBC
auth SHA1
pull

auth-nocache
auth-user-pass auth.cfg


PLEASE NOTE: I AM USING THE CARD ISSUED DLL PROVIDER BUT IT WORKS THE SAME WITH OPENSC PROVIDER

With the above configuration on the client side everything works like a charm. OpenVPN asks for a PIN, after which the connection is successful. After you see the serialized ID generated by OpenVPN 2.3 you can delete it and use the newest version - it's only needed to see the correct serialized ID.

NOTE TO DEVELOPERS IF THEY STUMBLE ON THIS: please fix with new versions :) :D

"TAGS" (LEAVING IT HERE AS MOST OF THE USERS WILL SEARCH DIRECTLY FOR THE ERROR):
PKCS#11: Cannot deserialize id 19-'CKR_ATTRIBUTE_VALUE_INVALID'
Cannot deserialize id 19-'CKR_ATTRIBUTE_VALUE_INVALID'
'CKR_ATTRIBUTE_VALUE_INVALID'
Last edited by cheatera on Tue Apr 02, 2019 4:48 pm, edited 2 times in total.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Problem related to serialized ID PKCS-11 URI on Windows (USBToken with SmartCard and p12)

Post by TinCanTech » Tue Apr 02, 2019 3:43 pm

cheatera wrote:
Tue Apr 02, 2019 11:32 am
Cannot load certificate "pkcs11:model=PKCS%2315;token=Pin%20de%20la%20carte%20%28IAS-ECC%29;manufacturer=Oberthur%20Technologies;serial=;id=%1a%aca%a0%cb%0e%21%d4%a4p%9d%84p%bbVj%a8%fd%dc%14" using PKCS#11 interface
It was suggested that this "serial=<empty>" may be the cause of the problem.

How did you create your certificate ?

cheatera
OpenVpn Newbie
Posts: 4
Joined: Tue Apr 02, 2019 10:32 am

Re: Problem related to serialized ID PKCS-11 URI on Windows (USBToken with SmartCard and p12)

Post by cheatera » Tue Apr 02, 2019 3:55 pm

TinCanTech wrote:
Tue Apr 02, 2019 3:43 pm
cheatera wrote:
Tue Apr 02, 2019 11:32 am
Cannot load certificate "pkcs11:model=PKCS%2315;token=Pin%20de%20la%20carte%20%28IAS-ECC%29;manufacturer=Oberthur%20Technologies;serial=;id=%1a%aca%a0%cb%0e%21%d4%a4p%9d%84p%bbVj%a8%fd%dc%14" using PKCS#11 interface
It was suggested that this "serial=<empty>" may be the cause of the problem.

How did you create your certificate ?
No, no, as stated - the static certificate works without problems when providing the path to it. I've used Oberthur's software to upload the generated p12:


openssl pkcs12 -export -out vladislav.n.p12 -inkey PATH_TO_PRIVATE_KEY\\vladislav.n.key -in PATH_TO_CERT\\vladislav.n.crt -certfile PATH_TO_CERT_AUTH\\ca.crt
I've found a workaround for this, check the original post's edit. Thanks anyway.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: [SOLVED] Problem related to serialized ID PKCS-11 URI on Windows (USBToken with SmartCard and p12)

Post by TinCanTech » Tue Apr 02, 2019 8:21 pm

This is probably not the work around you want to use ... :ugeek:

cheatera
OpenVpn Newbie
Posts: 4
Joined: Tue Apr 02, 2019 10:32 am

Re: [SOLVED] Problem related to serialized ID PKCS-11 URI on Windows (USBToken with SmartCard and p12)

Post by cheatera » Tue Apr 02, 2019 8:23 pm

@TinCanTech please explain

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: [SOLVED] Problem related to serialized ID PKCS-11 URI on Windows (USBToken with SmartCard and p12)

Post by TinCanTech » Tue Apr 02, 2019 9:20 pm

cheatera wrote:
Tue Apr 02, 2019 11:32 am
After you see the serialized ID generated by OpenVPN 2.3 you can delete it and use the newest version - it's only needed to see the correct serialized ID.
This could really do with an explanation ..

cheatera
OpenVpn Newbie
Posts: 4
Joined: Tue Apr 02, 2019 10:32 am

Re: [SOLVED] Problem related to serialized ID PKCS-11 URI on Windows (USBToken with SmartCard and p12)

Post by cheatera » Tue Apr 02, 2019 11:05 pm

I'm sorry my dude, I don't get what you are saying, but nevertheless what I've posted is working.
It may not be the most elegant or good solution - but it works. I can't understand if you are being sarcastic or anything. I had a problem, I asked on the forums. I found some working solution (as stated - not the best) - I'm posting it for anybody having the same problem.
This is my first and last post here, and last post on the topic.
GL with your sarcasm, it will lead you places.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: [SOLVED] Problem related to serialized ID PKCS-11 URI on Windows (USBToken with SmartCard and p12)

Post by TinCanTech » Tue Apr 02, 2019 11:40 pm

cheatera wrote:
Tue Apr 02, 2019 11:05 pm
GL with your sarcasm
I could equally make the same comparison ..

Check out any Forum thread without a reasonable explanation and you will find an unanswered:
"Me2, how did you fix it?"

Obviously, the problem here is that you rolled back to openvpn 2.3 .. and for no apparent reason.
(Which is also why this is not an appropriate solution .. rolling back to 2.3 is a bad move)

We would prefer to explain/understand these dependencies ..

becm
OpenVPN User
Posts: 39
Joined: Tue Sep 01, 2020 1:27 pm

Re: [SOLVED] Problem related to serialized ID PKCS-11 URI on Windows (USBToken with SmartCard and p12)

Post by becm » Sat Sep 19, 2020 7:54 pm

An empty serial=; is indeed a problem and might be a (yet unknown) serialization error.
However, the output of the data represented in the working pkcs11-id in the new format has the correct serial value in my tests...

The following problem of a 16-character serial in the RFC7512 format also being rejected due to a deserialization error is addressed since the OpenVPN 2.5 beta3 release.

@cheatera: It would be helpful if the root cause for the empty serial entry can be determined.
I'd be interested to figure this out, especially if the error persists when using the latest OpenVPN 2.5 beta.

becm
OpenVPN User
Posts: 39
Joined: Tue Sep 01, 2020 1:27 pm

Re: [SOLVED] Problem related to serialized ID PKCS-11 URI on Windows (USBToken with SmartCard and p12)

Post by becm » Wed Apr 10, 2024 1:08 pm

The empty serial has likely been caused by the known serialisation bug in the RFC7512 patch for pkcs11-helper.
Should have known (for obvious reasons!) this might also be the most likely issue for (hex) serial 000047FC39FC0000.

Fixed in current versions of OpenVPN for Windows and the affected Fedora package.
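To make the two IDs in this thread comparable (the RFC 7512 URI from 2.4.7 in the first post and the legacy id from 2.3 in the workaround), here is an added example, not code from OpenVPN or from anyone in the thread, that percent-decodes the URI per RFC 7512, splits the legacy id (assumed layout manufacturer/model/serial/label/hex-CKA_ID with \xHH escapes, which matches the value posted) and reports where they disagree. The CKA_ID turns out to be byte-identical in both; the only missing piece in the URI is the serial that becm points to.

```python
import re
from urllib.parse import unquote_to_bytes

# Both values copied from the thread; they describe the same certificate object.
RFC7512_URI = ("pkcs11:model=PKCS%2315;token=Pin%20de%20la%20carte%20%28IAS-ECC%29;"
               "manufacturer=Oberthur%20Technologies;serial=;"
               "id=%1a%aca%a0%cb%0e%21%d4%a4p%9d%84p%bbVj%a8%fd%dc%14")
LEGACY_ID = ("Oberthur\\x20Technologies/Cosmo\\x20v7\\x2E0\\x2E1\\x20R2/"
             "000047FC39FC0000/vladislav\\x2En/1AAC61A0CB0E21D4A4709D8470BB566AA8FDDC14")


def parse_pkcs11_uri(uri):
    """Split the path part of an RFC 7512 URI into attributes.
    Values are percent-decoded to bytes because CKA_ID is binary, not text."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]  # query attributes not needed here
    attrs = {}
    for part in filter(None, path.split(";")):
        name, _, value = part.partition("=")
        attrs[name] = unquote_to_bytes(value)
    return attrs


def parse_legacy_id(serialized):
    """Split a pre-RFC pkcs11-helper id (assumed layout, see lead-in):
    manufacturer/model/serial/label/hex-CKA_ID, text fields use \\xHH escapes."""
    fields = serialized.split("/")
    if len(fields) != 5:
        raise ValueError("expected 5 '/'-separated fields")
    unescape = lambda s: re.sub(r"\\x([0-9A-Fa-f]{2})",
                                lambda m: chr(int(m.group(1), 16)), s)
    out = dict(zip(("manufacturer", "model", "serial", "label"), map(unescape, fields[:4])))
    out["id"] = bytes.fromhex(fields[4])
    return out


def cross_check(uri_attrs, legacy):
    """Report where the two encodings of one object disagree."""
    findings = []
    if uri_attrs.get("id") != legacy["id"]:
        findings.append("CKA_ID differs between the two encodings")
    if not uri_attrs.get("serial"):  # the empty serial= discussed in the thread
        findings.append("URI serial is empty, token reports %s" % legacy["serial"])
    return findings


if __name__ == "__main__":
    uri, old = parse_pkcs11_uri(RFC7512_URI), parse_legacy_id(LEGACY_ID)
    print("CKA_ID (URI):", uri["id"].hex().upper(), "| CKA_ID (2.3):", old["id"].hex().upper())
    for finding in cross_check(uri, old):
        print("finding:", finding)
```

The unprintable id in the first post is simply these 20 raw CKA_ID bytes shown as text; the hex form the 2.3 binary prints is the same value.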
